There are early signs of a new ransomware outbreak, currently affecting a large number of countries across the globe, such as the UK, Ukraine, India, the Netherlands, Spain, Denmark, and others.
The main culprit behind this attack is a new ransomware that researchers intially called Petya, because it resembled an older ransomware strain that encrypts MFT (Master File Tree) tables for NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents victims from booting their computer. Later, it was discovered this is a new strain altogether, which researchers have started referring to as NotPetya or Petna.
The NotPetya ransomware that encrypted and locked thousands of computers across the globe yesterday and today is, in reality, a disk wiper meant to sabotage and destroy computers, and not ransomware. This is the conclusion of two separate reports coming from Comae Technologies and Kaspersky Lab experts.
Experts say that NotPetya — also known as Petya, Petna, ExPetr — operates like a ransomware, but clues hidden in its source code reveal that users will never be able to recover their files.
This is because NotPetya generates a random infection ID for each computer. A ransomware that doesn’t use a command-and-control server — like NotPetya — uses the infection ID to store information about each infected victim and the decryption key.
Because NotPetya generates random data for that particular ID, the decryption process is impossible, according to Kaspersky expert Anton Ivanov.
The idea that NotPetya did not follow regular ransomware rules was first proposed by threat intelligence expert The Grugq, in a report published yesterday.
“The real Petya was a criminal enterprise for making money. This [NotPetya] is definitely not designed to make money,” The Grugq said. “This is designed to spread fast and cause damage, with a plausibly deniable cover of ‘ransomware.'”
Because of the ransomware’s global outreach, many researchers flocked to analyze it, hoping to find a loophole in its encryption or a killswitch domain that would stop it from spreading, similar to WannaCry.
While analyzing the ransomware’s inner workings, Amit Serper was the first to discover that NotPetya would search for a local file and would exit its encryption routine if that file already existed on disk.
The researcher’s initial findings have been later confirmed by other security researchers, such as PT Security, TrustedSec, and Emsisoft.
This means victims can create that file on their PCs, set it to read-only, and block the NotPetya ransomware from executing.
While this does prevent the ransomware from running, this method is more of a vaccination than a kill switch. This is because each computer user must independently create this file, compared to a “switch” that the ransomware developer could turn on to globally prevent all ransomware infections.
You can read about how to setup the vaccine on your PC in this article on Bleeping Computer.
To help prevent ransomware infection on your computer, always make sure your operating system is up to date, use a decent antivirus software from reputable companies (Norton / Avira / Kasperky / Avast / McAfee etc) and add an anti ransomware software from reputable sources (Malwarebytes / BitDefender / RansomFree / CryptoPrevent), always be careful when opening suspicious email attachment, and be very careful not to click suspicious link you find on the internet.
Sources: various articles on bleepingcomputer.com